Cyber attacks aimed at stealing data and disrupting systems remain high on the agenda

Irish organisations have experienced a significant uptick in cyber security incidents in the past 24 months and are stepping up their spend and management focus on the issue.

However poor employee awareness, inadequate knowledge of information security at board level and insufficient budgets are still exposing companies to undue risk. That’s according to EY’s Global Information Security Survey (GISS) – Path to Cyber Resilience: Sense, Resist, React. The report was published today to coincide with the expansion of the firm’s dedicated Advanced Security Centre (ASC) facility in Dublin, which is now the largest of its kind for EY in EMEIA.

The survey, conducted amongst 1,735 C-suite leaders and Information Security and IT executives globally, and 54 in Ireland, found that almost three out of four Irish organisations (72%) had experienced a significant cyber security incident, compared to 57% globally. This represents a 29% increase in Irish organisations reporting incidents when compared to 2014 figures – highlighting the ever-growing prevalence of such attacks, and the real risk to companies large and small across Ireland. Indeed, over half (55%) of Irish executives surveyed said that they believe their organisation is unlikely to detect a sophisticated attack on their business, a figure that has barely changed over the past two years. By contrast, only a third (33%) of executives globally say the same today, a significant drop from 56% two years ago.

Not only are Irish businesses therefore vulnerable, many are not fully prepared for dealing with an incident. Although an encouraging 68% have an incident response plan including root cause analysis, two in five (42%) have no communications response strategy for a significant cyber attack involving data compromise, and 15% stated that they had no breach detection capability whatsoever.

Furthermore, more than two out of three respondents both in Ireland and globally said that up to 50% more budget was needed to keep their organisation within its risk appetite, highlighting a requirement for increased funding within organisations to mitigate against growing cyber threats. Irish organisations however are on the right trajectory, with security budgets continuing to rise and almost two thirds (65%) of executives surveyed saying that their organisation’s information security budget had increased in the past 12 months. The research also found that the adoption of cyber insurance is maturing more rapidly in Ireland than elsewhere, with nearly two in five (39%) Irish respondents already having cyber insurance that meets their needs – 50% more than the global average – and a further one in five (20%) actively looking for appropriate cover.

Commenting on the findings, Hugh Callaghan, Cyber Security Leader, EY Ireland said: “Our research shows that while Irish businesses are now more focussed than ever on managing cyber risk, they are still playing catch-up with cyber criminals, who continue to find ways around organisations’ security controls and exploit their employees’ lack of awareness to steal money and data. As advisors to clients across Ireland and internationally, we are also seeing an increase in cyber attacks that not only steal data but also destroy it. Indeed there is a real threat of a significant cyber security incident putting an unprepared organisation out of business for good, so there is an onus on companies to protect themselves by stepping up their focus and investment in tackling this threat.”

Looking beyond investment in cyber defences and risk mitigation, half (50%) of executives surveyed said that their boards had insufficient knowledge of information security to fully evaluate the risks the organisation is facing and the measures it is taking – mirroring the global position. Small wonder that only one in five (20%) organisations fully consider cyber security implications in their business strategy and plans, but at least a further two in five (44%) are planning a more thorough consideration.

On top of this, employee awareness was exposed as a significant vulnerability for Irish companies when it comes to dealing with cyber attacks. According to the survey, careless or unaware employees (36%) topped the list of factors increasing an organisation’s risk exposure. Compounding this, poor employee awareness and behaviour was perceived by 85% of executives as the biggest risk in relation to the increased use of mobile devices in their organisation, with a further two in five (39%) stating that it was the leading cause of the most significant cyber breach experienced by their company in the past 12 months. It is therefore no surprise that security awareness topped the list of priorities for both Irish and global organisations in the next 12 months, with three in four (75%) executives ranking it as their highest priority.

Newly expanded state-of-the-art cyber facility opened in Dublin

In response to these increasing threats, EY today opened its newly expanded Advanced Security Centre (ASC), which is the largest cyber facility of its kind within the professional services sector in Ireland. Located in the firm’s headquarters on Harcourt Street, Dublin, the ASC hosts the firm’s dedicated cyber security team who conduct ethical hacking, computer forensics and vulnerability research activities. With Security Operations Centres (SOCs) playing an increasingly essential role in helping businesses detect cyber attacks before they become a business-impacting breach, the ASC was purposely redesigned for EY's Managed SOC team. This team is dedicated to helping clients design, build and operate a SOC via a managed service model. The facility also houses the firm’s secure electronic evidence processing and analysis systems – both key components of its cyber breach response service capability.

Hugh Callaghan commented: “Companies are increasingly seeking innovative advice and solutions to manage their exposure to cyber risk and protect their bottom line, as well as their reputation. The people and technologies within this facility allow our cyber professionals to interact in real-time with others in EY’s network of ASCs around the world, allowing us to rapidly recognise new attacks as they unfold, identify solutions and help deploy them immediately – thus protecting our client companies from significant risk.”

This new facility, which doubles our capacity, will also enable the continued expansion of our service offering and capability to some of the largest multinational clients around the world. In recent years, we have grown to a team of over 50 cyber risk professionals, and we look forward to building on this momentum,” added Hugh.